Palo Alto Networks has shared guidance for resolving a recently disclosed critical security flaw impacting PAN-OS and being actively exploited.
The vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), could be weaponized to achieve unauthenticated remote shell command execution on susceptible devices. The issue has been fixed in multiple versions of PAN-OS 10.2.x, 11.0.x, and 11.1.x.
There is evidence to suggest that the issue has been exploited as a zero-day since at least March 26, 2024, by a threat cluster tracked as UTA0218.
The activity, codenamed Operation MidnightEclipse, involves using the flaw to deploy a Python-based backdoor called UPSTYLE that can execute commands passed through specially crafted requests.
The intrusions have not been linked to a known threat actor or group, but the operators are suspected to be a state-backed hacking team given the tradecraft and victimology observed.
The latest remediation guidance offered by Palo Alto Networks depends on the extent of the compromise:
- Level 0 (Probe): Failed exploitation attempt – Update to the latest hotfix provided
- Level 1 (Test): Evidence of the vulnerability being tested on the device, including creation of an empty file on the firewall but no unauthorized command execution – Update to the latest hotfix provided
- Level 2 (Potential Exfiltration): Signs that files such as "running_config.xml" were copied to a location accessible via web requests – Update to the latest hotfix provided and perform a private data reset
- Level 3 (Interactive Access): Evidence of interactive command execution, such as the introduction of backdoors and other malicious code – Update to the latest hotfix provided and perform a factory reset
"Performing a private data reset eliminates the risks of potential misuse of device data," Palo Alto Networks said. "A factory reset is recommended due to evidence of more invasive threat actor activity."